Stopping a Virus Writer

New here!
I have heard that this is the best MB for newbies like me.
My question: How can I stop or report a person who is writing viruses?
What information do I need to report them?
I am a longtime member of a MB about Hedgehogs and recently we have gotten a troll who I believe is writing viruses and sending them to certain repected members of our MB. Whenever this troll gets pissed at somone on the board, they end up with a virus. It has happened to four people so far. We on the above mentioned MB are a peaceful group of people who simply love to talk about their pet hedgehogs. We are not computer experts as you guys here are, and we don't know how to stop this guy. We are in danger of losing our MB if we can't stop the viruses because our members are scared to post. Most of our members are older folk and kids. We have banned this guy several times but he keeps finding a way to change his IP address and keeps coming back. Our MOD's have tried everything they know. This guy is good!
What I don't understand is why this guy would be causing all of this trouble to a small message board that is about pet hedgehogs!
Can someone please help us or direct us to a site where we can get help to stop this guy?
Thank you in advance

Quote:

---

Originally posted here by jett1960
New here!
We have banned this guy several times but he keeps finding a way to change his IP address and keeps coming back.

---

This statement implies that the MOD's are banning this person via his/her IP address. If that's the case, it may be as simple as tracing the current IP address back to the ISP and then reporting him/her to the ISP. Usually at an e-mail address like "abuse@his/herISP.com".

Cheers:

Why don't you get up to date antivirus and personal firewalls?
If you have those the troll wouldn't be able to do anything other than be a pain in the arse.
I doubt there is much you can do unless you can go round to his house and kill him. Get your machines locked down and he'll soon get bored and piss off.

Links for freebies:

Free antivirus
http://www.avast.com/eng/avast_4_home.html
or
http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5

Free firewall
http://www.zonelabs.com/store/conten...eeDownload.jsp

BTW I don't think you are supposed to keep hedgehogs as pets.
If you are in the UK you could get in touch with St. Tiggywinkles and they could release them back into the wild.
http://www.sttiggywinkles.org.uk/

Quote:

---

Why don't you get up to date antivirus and personal firewalls?

---

They believe the guy is writing his own viruses... most AV software would have difficulty catching those. It would be a lot of work to set that up, and with possibly little benefit. I would go with DjM's idea and report him to his ISP. His ISP can be found by punching his IP address into the Whois field at http://www.arin.net. You can then follow the links the answer provides you with to find an abuse email for his ISP.

You could also try banning his entire ISP from the board and see if that works. If he uses a large ISP, though, you might end up banning innocent members as well, so use that with caution. Banning his IP address won't be of much use, though, since most ISP's assign addresses dynamically every time a user connects. So all he has to do is close his internet connection and reconnect. He gets a new IP address and he's back in. He might not even notice that you banned his last address.

Hope that helps.

Just a question...

Have you banned only his IPs? You have banned his actuall nick as well, right? Heh. Just asking.

Quote:

---

Originally posted here by Aspman
Why don't you get up to date antivirus and personal firewalls?
If you have those the troll wouldn't be able to do anything other than be a pain in the arse.
I doubt there is much you can do unless you can go round to his house and kill him. Get your machines locked down and he'll soon get bored and piss off.

Links for freebies:

Free antivirus
http://www.avast.com/eng/avast_4_home.html
or
http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5

Free firewall
http://www.zonelabs.com/store/conten...eeDownload.jsp

BTW I don't think you are supposed to keep hedgehogs as pets.
If you are in the UK you could get in touch with St. Tiggywinkles and they could release them back into the wild.
http://www.sttiggywinkles.org.uk/

---

Thank you for the links. One person who got the virus was behind a firewall and we all have updated antivirus software. It has not seemed to prevent these viruses.
Hedgehogs are legal in all but 6 states in the US. Among those illigal are Vermont, Penn., NY, CA, AR. All in our group live in legal states. We are very much against owning a hedgehog in an illegal state because those states will put to death any hedgehogs found. Although the African Pygami hedgie has not been imported since 1990, there have been sufficent numbers imported before then to keep many active lines of breeding. The UK hedgie is illegal anywhere in the world to own. I live in TN and personally am owned by three hedgehogs that I have rescued from animal shelters in several states. Myself and the members of my board treat our hedgies as if they were our own children. Our hedgies are usually allowed free roam of the house as they are as easy to litter train as a kitten would be and are usually quite friendly and very intelligent creatures. I'm sorry, I have gotten off topic.
Thank you for your suggestions!

Quote:

---

Originally posted here by DISLEX
Just a question...

Have you banned only his IPs? You have banned his actuall nick as well, right? Heh. Just asking.

---

Good question.
Yes, we are banning him as per his email account which has to be an account from an ISP. No free email accounts are accepted. We don't kow how he keeps getting different ISP email accounts and yes, he keeps coming back under different names. He has used 8 different email accounts and names to date.

Thank you all for the replys so far. I am taking notes!
I've been looking around this board and my friend was right, this is a most awesome message board even if I don't know most of what is being talked about! lol
Please keep the suggestions coming and Thank You again!

How are these 'Viruses' being delivered? Do they come as an e-mail attachment, or via IM? How do you know they are viruses, what do they do?

Cheers:

If you post your website somebody might be able to figure out how he keeps signing up with new email accounts.

Of course, I have 5 addresses available through my ISP, which I can change anytime I wish. He might be doing that too.

Quote:

---

Originally posted here by DjM
How are these 'Viruses' being delivered? Do they come as an e-mail attachment, or via IM? How do you know they are viruses, what do they do?

Cheers:

---

I believe that they are coming in as attachments but I am not sure. I myself haven't gotten one. Yet.
The virus are attacking the antivirus programs themself. They won't allow one to access the website of the particular antivirus being used at the time. As in Norton and McAfee. I can come back here later with an exact description and method of delivery.

Quote:

---

Originally posted here by Striek
If you post your website somebody might be able to figure out how he keeps signing up with new email accounts.

Of course, I have 5 addresses available through my ISP, which I can change anytime I wish. He might be doing that too.

---

Our website is
http://www.chins-n-quills.com/forums/
I will be getting exact information from those affected shortly today or tomorrow so that I can answer questions with more knowledge.

Quote:

---

Threads: 61,145, Posts: 593,557, Members: 3,713

---

Thats some forum .............
As it's that size, I would HOPE your admin / mods were better able to protect your assets.

As previously requested :

Delivery method : EMail attachments can be stripped by default ? [OE anyway :)]

Numbers involved in attacks : How many members are targeted ? - how often ? - same people ? or different each time ?

time line of attacks : when did you notice them starting ? When do you SUSPECT they started ?

frequency of attacks : how long from p155ing him off to getting attacked ? - lifecycle of an attack ?

Quote:

---

Originally posted here by foxyloxley
Thats some forum .............
As it's that size, I would HOPE your admin / mods were better able to protect your assets.

As previously requested :

Delivery method : EMail attachments can be stripped by default ? [OE anyway :)]

Numbers involved in attacks : How many members are targeted ? - how often ? - same people ? or different each time ?

time line of attacks : when did you notice them starting ? When do you SUSPECT they started ?

frequency of attacks : how long from p155ing him off to getting attacked ? - lifecycle of an attack ?

---

I have found out that I was wrong before. I said that my board required a ISP email account to regester. In fact, one can use a free web email such as yahoo and regester. I know that changes things. I will have answers to these questions within the next day or two. Thank you everyone who is trying to help!

Ok, this is what I have been able to find out for sure so far:
The MOD's are banning this guy by his ISP but he keeps coming back using a different ISP somehow.
The viruses are coming in an attachment both in MSN messager and in email and the attachments are made to look as if they are coming from someone reliable. I don't know if the attachments can be stripped by default.
There have been four people attacked so far in the past month. Each time the virus is different. One of the viruses was named "mitleader", I don't know what the other one is named yet. It's hard contacting the people affected because their PC's are down and they are having to use someone elses. Every time the same people are being attacked. One of them is one of our MODS. They are the same four that have had words with this guy on the board. The attacks started about one month ago and two of the four have been hit twice. One person got the first virus, spent a great deal of time and money getting rid of it and today was attacked again. This time the virus sent itself to everyone in her messanger list.
The attacks seem to be occuring within two days of this guy getting pissed off. I suspect that there are more victims that have gotten a virus but don't know where it came from. It's just kinda funny that the same four people who he has had words with are the ones being attacked so we are pretty sure who is doing it. I don't understand what is meant by "the life cycle of attack". I will have more information tomorrow or the next day as the MOD's and I are getting together to discuss this.

I would still put out a recomendation to everyone on your board to get firewalls and up to date AV. It may not help but it won't do any harm. Get their machines patched up as well.

Are you able to tell where this troll is geographically? If you can narrow their location down to a country it may be worth contacting the law enforcement there. Obviously that is easier if it is the US. I don't know how helpful they would be but you never know.

Have you spread the information around your board that there is a Troll speading viruses and that your members should be very wary of opening any attachment even it it appears to come from a trusted source.

You could also recommened that everyone double check the source of an attachement before opening. I.E. Mr A. recieves an attachment addressed From Mrs B. Mr A. emails Mrs B. to confirm the attchment was sent from Mrs. B. If B confirms that she sent it A can open it. If B does not know about the email it is probably sent by the Troll and should be deleted.

I'm not an msm user so I'm not sure if the above would work for it.

the Troll can make his messages appear to come from other members of your board quite easily but it is much harder for him to intercept messages going back out.


Just a thought: If this little **** is writing new viruses which are not being caught by your AV (which is up to date), how do you know you've got a virus?

We didn't want to panic anyone at first because we were not totally sure that what was suspected was true but after yesterday, we now are convinced that our troll is sending these viruses. Therefore we will be following your advice and warning our members and suggesting what you did. BTW, you have some very good suggestions, thank you.
We know it's a virus because no matter how he writes it, it does the same thing. Among other things it denies the user access to their respective antivirus programs. It's the same four people getting the same virus, and in some cases, twice. It's the same four people who have had words with this one guy and he has threatened to "get you" before to these members. However yesterday it was sent to a member who had had it before and this time was caught by her antivirus program (Norton). I instructed her to save all the information about it that she could but I don't know if she understood me. I have been thinking of going at this guy myself to see if I can piss him off enough to send ME one so that I can get more information about it. I am behind a firewall and am up to date and have saved all important stuff from my pc in case I have to reformat. My pc is rather old and I have been thinking of getting a new one anyway.
We are pretty sure he is in the Texas area.
A while back, on the Tennessee Titans Message Board there was a guy that started sending me viruses. I knew it was him because everytime we got into it, within two days I got a virus. If I stayed off the board then the viruses would stop. Within two days of being back on the board they would start up again. I was lucky and my antivirus program caught each one but it was scary enough that I finally just quit going to that board. I don't want this to happen to our hedgehog board. I feel that I have been run off of one board this way and refuse to be ran off or intimadated into leaving the hedgehog board.
Thanks for all of your suggestions. I am taking notes and fully intend to see this to the end!

Quote:

---

Originally posted here by jett1960
Ok, this is what I have been able to find out for sure so far:
The viruses are coming in an attachment both in MSN messager and in email and the attachments are made to look as if they are coming from someone reliable.

---

For the ones that come in via email attachments, check the headed records on the email itself. These records should give some idea to where the email is actually originating from. If you don't know how to read the header records, remove any personal information from the header record and post it here, we'll see if we can track it down.

Cheers:

I was looking around on the board you posted. I did not see anything letting members know that someone using the boards may be spreading viruses. You should talk the Admin/s into making ATLEAST a post stating this. Maybe make it a sticky in EVERY forum. You may want the board to send an email or PM to everyone letting them know. Of course do not include the suspect. When you let the members know, I wouldn't tell them that persons user name JUST incase he is not to blame. Just state the fact that there is someone (more than likley) on the board spreading viruses around. Let them know that it seems to be spreading through instant messengers, emails, and however else you may think. Let them know it is in their best intrest to:

1. Have an UPDATED virus scan installed. (If they need one, I recomend www.Avast.com . There are other free ones as well. )

2. Have the latest Windows updates.

3. Install and update Ad-Aware. ( http://www.download.com/3001-8022_4-10319876.html )

4. Install and update Spybot. ( http://www.download.com/3001-8022_4-10289035.html )

5. Run a firewall.

6. Scan EVERY file sent to them no matter who it is sent from, or what it is sent through.

7. GOTO 6!

8. Check for updates to everything AGAIN... again, AND OVER.

9. Run the scans OVER... over, AND OVER!


Also, you may want to let them know it may be a good idea to disconnect from the Internet while not at the computer.

Good luck and keep us informed.

One of our MOD's will be here shortly and she can give better information .
I would like to say thank you to everyone who has tried to help us.
We are listening to what your saying and will take your advice!
The MOD's name on here will be "Tindale".
Thanks again!

Hi guys and gals,

A huge thanks to jett1960 for getting me over here. I have friends in Network Security, but they are unfamiliar with vBullitin. They have been able to pull-up some of the ISP Owner info for our attacker. I just do not know the steps to take to "smack down" this/these idjits.

I have several AIM and MSMessenger IDs being reported to me as part of the harrassment. I have many, many AOL IP Addys that are on the hot list (and used by many, many of my members -- I hate Dynamic IP). It's been over 3 weeks since this started and I want it over. I'm tired of having to read every post of from newbies to see if it's related to the problem. And once I flag them "clear" after about 10 posts, I do not have the band-width to read 100% of the posts going up. That's when things got to hell in a handbasket with a bow on top.

I'm going to re-read the questions and requests and compile answers. I hope we can get to the bottom of this before the end of the month.

Greatful,
Sandra

I believe that with vBulletin you can ban an IP range. If the culprit is using a service like AOL or other ISP that uses dynamic IP addresses, you can ban the subnet (correct terminology?) Be aware that any legitimate members on the same subnet would be banned too, however.

Also, opening attachments that you aren't explicitly expecting, even if the e-mail is supposedly "from a friend," is a bad idea these days. I never let my wife open e-mail attachments from her sister, because her sister's husband visits unsavory sites and their PC is probably virus infested.

HardCode, that's my problem...he's been using the same sub-set of addresses as dozens of legit members. I can't knock them all off-line!

And *I* know better re: attachments. My background includes being the Admin Assistant to the MIS departments of a non-profit in NYC and RandomHouse Books, back when we were taking typewriters away and giving them Macs or PCs (Win 3.x)...I feel old.

Foxyloxley : I've been dealing with the backside stuff for almost a year now (or so it seems). I did not create the Forum, nor am I fluent in all that vB can do for me. As an Admin Assistant, I can learn software quickly when it makes sense. vB doesn't always make sense to me. I also just deleted ~4k users, and have about 37k threads waiting for double checks (they're about 18 months old) before we totally delete them.

DISLEX : I've held off on ramping up the warnings posted to the group. Those who have been tangling with him, are getting PMs (Private Messages) from me to ignore everything they get from unknown IDs and to block them immediately. I do want to re-write the entire Forum's FAQ, but that takes time and needs to be approved by the Forum Owners who are busy running their own business to keep this afloat. I'm just a lowly volunteer who's a good friend of their's and sits at a desk all day waiting for (real) work to come in.

As for time line of attacks ? I tend to get an IM via AIM from DirkBlackwell about 5-10 minutes after someone posts about the users: hitoll or hedgiemommie . Hitoll and hedgiemommie are a couple (or so I'm told). Hitoll is apparently gay, but I have nothing against that...40% of my friends are Family.

Hitoll's data:
IP registered with: Aim Chat: Yahoo! ID:
hitoll, [email protected]; 207.191.206.208 dirkblackwell hitoll2
207-191-206-208.cpe.ats.mcleodusa.net is in Louisiana?
hitoll2, [email protected];
207.191.206.208 dirkblackwell hitoll2
hitoll2525, [email protected]207.191.201.59 dirkblackwell hitoll2

Hedgiemommie's data:

hedgiemommie, [email protected] 207.191.220.68
207-191-220-68.cpe.ats.mcleodusa.net
kaiteedydlies, (deleted as it looked like the person he was hunting) 152.163.100.195 cache-rtc-ad01.proxy.aol.com

kristyfriends, 152.163.100.198 (cache-rtc-ad04.proxy.aol.com) [email protected]

Anuslicker, Pokeypete, and such deleted without regard to where created...

SUSPECT (but not 100% sure yet): Hedgehogsrock88, 68.202.157.37, (37.157.202.68.cfl.res.rr.com) and 68.202.157.138, (138.157.202.68.cfl.res.rr.com)

I've been told by DirkBlackwell, that I "took out" 4 of his computers and half of his home town. :D Sadly, I know he's found another ID to use, and we think it's: hedgehog69

Hedgehog69's data:

hedgehog69, [email protected] 64.12.116.195
cache-mtc-ad01.proxy.aol.com
152.163.100.195 AOL
152.163.100.198 AOL
205.188.116.201 AOL
205.188.117.7 AOL
64.12.116.195 AOL
64.12.116.198 AOL

We've also been just deleting all IDs created using obscene language, as I'm not wasting my time with all those junk yahoo.com accounts.

Is there anything else I can pull together to help with getting this under control?

Hi Tindala, do you keep any log files that will be able to 'prove' this individual is on the AOL network (something that lists his/her IP?). If so, collect as much as you can and forward it to the abuse email for AOL. Now I have never used AOL, but others here don't seem to have a very high opinion of their service, but this may be a start. I doubt your going to get this solved by the end of the month unless AOL thinks its serious enough.

It's still a good idea to post a warning to your members that this type of abuse is going on and until you can get it resolved with AOL, members should be extremly careful of any email attachments.

Cheers:

I have logs that tell me that a user has used a particular IP address. I'm not sure where I would find time stamp data...I'm sure it's available. Everything else seems to be. :rolleyes:

The key here, is that I've been told they are using Qwest...and I'm not seeing Qwest IPs. Do they "sub-let" buckets of addresses from AOHell?

Quote:

---

Originally posted here by Tindala
I have logs that tell me that a user has used a particular IP address. I'm not sure where I would find time stamp data...I'm sure it's available. Everything else seems to be. :rolleyes:

The key here, is that I've been told they are using Qwest...and I'm not seeing Qwest IPs. Do they "sub-let" buckets of addresses from AOHell?

---

Who "told" you they were using Qwest? The IP's you have list above for Hedgehog69 all trace back to AOL.

There is a phone number for the abuse line at AOL 703-265-4670, I am not sure if that will get you anything, but it might be worth a try.

Cheers:

DirkBlackwell...in AIM. I baited him with "I'veblocked the AOL IPs has far up as I'm comfortable,since there are manyusers on AOL"...DB came back with "AOL??? We're on Qwest DSL."

What are the possibilities that this guy is using a proxy server to mask his true IP? Oh and Tindala, if he's not using a proxy then that last statement might just be this guy trying to throw you off his track. If someone were to call me out on something like that my first reaction wouldn't be "oh man, you got me! LOL, how'd you find my ISP?!?!". This sounds like it might be a kid who is on AOL and very bored. If he thinks you found him out he's going to do whatever it takes to get you off his back.

What ID is the troll currently using? (or do you suppect many?).

Cheers:

Suspect IDs:

hedgehog69
Hedgehogsrock88

The key is, he's found an ISP that's not "local" to him...so, just searching against all the Louisiana ISP's for hitoll and hedgiemommie...won't help.

And how do you ban? By nickname or IP or both? Every board has it's trolls, we have a bucket full here. They get banned, come back and get banned again (and so on and so on). I am not sure your going to be able to rid yourself of this troll (some are very determined) unless you can find his/her location. Did you check the header records of any of the infected emails (or do the viruses just get delivered via IM).

Cheers:

/Edit
Sorry darl'in, I got to go for now, meeting with my lawyers (don't ask). I am sure someone else here will pick-up on this thread and hopefully be of some help (tiger...you out there?). If, not I'll be back tomorrow and try to help (no guarantees ).

Cheers:

DjM, thanks for the tips so far. I understand having to deal with lawyers...been there/done that.

I'm blocking IDs and IPs (xx.xx.xx.xx and xx.xx.xx) when there aren't more than 2 people impacted). IF I go up to xx.xx...I then catch too many of my regular users.

I've been lucky...no infected emails or IMs have gotten to me. I'll go ask those impacted if they have any printouts/captured data and report back.

Thanks for all the tips!

I've noticed a few things about this thread i think need looking at:-

1. Thread title - he's not a virus writer - see below.

2. The "virus" attacks AV software: This is pretty sophisticated considering most AV software is protected within the system.

3. NAV picked up one of the recent attempts to infect: If NAV picked it up on anything but the "Bloodhound Technology" then it is a known virus.

This all points to this person simply sending out a known virus and your users not having appropriately updated AV software. This is hardly unusual no matter how much they protest that it is.

You are in the classic situation of providing a _public_ service and having a malcontent screwing with you. You could block all the AOL netblocks but that will both kill your current users that come from AOL and it will not stop your little malcontent because he may be using someone elses computer as a zombie to enter through AOL... He could be on any ISP in the world - he could be using his local library....

Your only real course of action is to point out that hedgehog care does not require the transmittal of files - especially executables - between the users and as such _any_ file sent by anyone on the board must be considered suspect and deleted without opening it.

By the simple nature of the system you run you cannot stop him unless you can get him arrested. Since it will be extremely difficult for you to be able to show greater than $5000 loss to any individual or to the board itself law enforcement probably won't help you - unless you have a hedgehog keeping LEO on the board that would go to bat for you and convince someone that the aggregate cost exceeds $5000 - then you might be able to get them involved and track him for you....

I'm afraid that no matter how much information you show us here it is really not feasible for anyone here to be able to help you with the lag time in messages, (real time would be needed).

Hi Tiger Shark,

<sigh> That's what I had figured...kinda like teens who steal all the straws/napkins at McDonalds...until you (1) catch them doing it and (2) prove it's valued at $X...not a damned thing you can do but refill the straw/napkin dispensers.

What I was really hoping to find out is if he was on a small enough ISP to call. AOHell isn't going to be of help (and thanks for that ph#...just not the right amount of damages here). There's 4 of us who are in essence stalking all newbies on our board to make sure they behave. At some point, I feel "ok" about them and quit "moderating" their posts. The thing is, he's keeping his ID close, and posting very little (if at all).

It's the attacks via IM (AIM, MSMessenger, Yahoo!) that have us concerned. He's sniping certain members, and then sending viri via a chat window. And that there's a common thread: all members of CnQ who have gone head-to-head with the original 2 IDs (hitoll and hedgiemommie). I guess I'm wanting to lash out in frustration after 3+ weeks of this hell.

Quote:

---

This all points to this person simply sending out a known virus and your users not having appropriately updated AV software. This is hardly unusual no matter how much they protest that it is.

---

any chance of 'capturing' the attachment [forward the mail] to someone here [volunteers :D] to take a look at it, to prove Tiger~'s thoughts ?

OR
get someone who receives one to forward the mail to YOU ......... run full A/V against it to see what the beastie is.

I could be game...but with Starband.net as my provider, they are trapping anything coming through before I even see it. And my alternate accounts are on gmail...I'm sure they are just making viri mail disappear.

Hmmmmmmmm, let me see if anyone's in a position to victimize me.

Hi Sandra

My first one was from [email protected] It was titled jokes and said
something like here's some jokes. It gave me the W32/Mitglieder.cg virus.

This one is called Morphine. It gave me 5 different things.

thehedgieden@hotmail [1]. com->(morphine)
cmdrun.exe ->(Morphine)

No spaces in either of them and my virus program can't remove them but says it has
stopped them from accessing my computer.

The other 3 are security risks.

MediaAcc.dll -> (UPX) named W32/Windu.F

MediaAccess.exe ->(UPX) same name as above W32/Windu.F

MediaAcck.exe ->(UPX) Security risk W32/Windu.D

The virus program deleted them.

This second one came over msn from a Chad Cortese who is TucknRoll on here. Chad
hasn't got hedgies, I have his, so he doesn't come on anymore but I wonder if this
is coincidence that it came from another CnQ member. Ok, I'm getting paranoid.
lol

We went to the computer store where we got the computer and the guy there looked up
the two top ones and said they are nasty and partly undetectable which is why the
virus program can't delete them.

My husband went on some sites and they said they are low risk and easily removed.
Ya right, that's why I can't remove them. ARGHHHHH

It would be interesting to know which one Tawana got as she must be having real
problems.

I was talking to Blueberrybuds, Yeah I know unbelievable, lol She said she is
having wierd issues with her computer. She also said Hitol has told her he is
badmouthing her all over.

If I think of anything else I'll let you know.
Nancy

I have the horrible feeling that this isn't so much an attack as a viral infection amongst the members of the group....

Can you give any evidence to the contrary?

Quote:

---

a viral infection

---

:confused:
Are you thinking that there WAS an infection, and it has just STAYED ?
posting itself around the forum ?

catching out members, never been caught AND sanitised ?